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SUMMARY 


The National Aeronautics and Space Administration (NASA), the U.S. Air Force 
(USAF), and the U.S. Navy (USN), along with other government agencies, are con- 
ducting various studies of existing and projected engine control systems to investi- 
gate the capabilities and performance of various fault detection and accommodation 
(FDA) schemes. These studies have made extensive use of analytical methods and simu- 
lations. Limited altitude testing has also been accomplished in support of these 
studies. With the advancement of the full-authority digital engine control systems, 
there has been an increasing desire to perform in-flight evaluations of FDA method- 
ology for substantiating the predictions and facility results of the studies. Recent 
flight tests of the digital electronic engine control (DEEC) in an F-15 airplane have 
shown discrepancies between flight results and predictions based on simulation and 
altitude testing, and thus reinforce the need for flight evaluations. However, the 
difficulty of inducing realistic faults in flight has so far minimized flight testing 
of the FDA logic. 

The DEEC is a full-authority, engine-mounted, fuel-cooled digital electronic con- 
trol system that performs the functions of the standard F100 engine hydromechanical 
unified fuel control and the supervisory digital engine electronic control. The DEEC 
consists of a single-channel digital controller with selective input-output redun- 
dancy, and a simple hydromechanical backup control. The FDA features of the system 
are a significant portion of the control program. During the course of the recent 
flight program, the DEEC detected and accommodated two sensor faults, with no false 
failure indications. 

An opportunity exists to conduct further flight evaluations of the DEEC FDA in 
the near future. The objectives of the program will be to induce selected faults 
and evaluate the resulting actions of the controller. Comparisons will be made 
between the flight results and predictions, as part of the evaluation. It is 
anticipated that the FDA data base will be expanded and techniques developed for 
safely evaluating FDA methodology in flight that may be useful on future programs. 

This paper will describe the FDA methodology and logic currently in the DEEC 
system, and discuss the results of the flight failures that have occurred to date. 

The proposed flight program and anticipated results will be presented at this time. 
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ENGINE FAULT PROTECTION 


The objective of the fault protection for the DEEC engine is to provide addi- 
tional aircraft safety and operation in the event of an engine control system anomaly. 
This is accomplished through the FDA logic and the engine protection logic. The FDA 
provides three basic levels of engine operability in the event of an engine control 
system anomaly. The first level maintains normal operation of the engine with noti- 
fication that a failure of a redundant parameter has occurred. The second fault 
accommodation level also maintains normal operation of the gas generator, but inhib- 
its augmentor operation. This level is "instituted" for inputs which are critical 
to augmentor operation but not to the gas generator. Failure of parameters which are 
critical to the safe operation of the engine cause the system to automatically revert 
to the hydromechanical backup engine control. At each of these levels, the failures 
are annunciated through a caution light in the cockpit and specifically identified on 
one of the DEEC diagnostic words. 

The engine protection logic provides an ultimate level of protection in addition 
to the FDA logic and the normal engine control scheduling. The logic is used to 
detect impending overspeeds and overtemperatures as a result of unpredicted multiple 
failures and automatically transfers the engine control to the hydromechanical backup 
system. 


DEEC Engine Fault Protection 
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Objective: 

To provide for additional aircraft safety and operation 
in the event of an engine control system anomaly 

• Failure Detection and Accommodation “Levels” 

1. Maintain normal engine operation 

2. Loss of augmentation maintaining primary mode 

3. Automatic transfer to hydromechanical backup 

• Engine Protect Logic: 

Ultimate engine protection beyond FDA. 
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CONTROL SYSTEM 


The DEEC system shown on the next page incorporates significant fault detection 
and accommodation logic. Part of the FDA methodology which is used in the DEEC 
system is reflected in the amount of redundancy of the system. Dual sensors and 
position transducers are used to achieve redundancy in key parameters such as engine 
speeds, temperatures , throttle position, gas generator fuel flow (WFGG), and rear 
compressor variable vane (RCVV). Redundant coils are present in the torque motor 
drivers for all actuators. Nonredundancy is retained in the less critical parameters 
of pressures, augmentor fuel flow, nozzle area, compressor inlet variable vane (CIVV), 
and aircraft Mach number. 

The DEEC performs internal self-test and memory checks, processor instruction 
tests, interface tests, clock tests, and computational cycle-time tests. The built- 
in test (BIT) during normal engine operation includes: (a) read-only memory (ROM) 

check sum test as time permits during the execution of the control algorithm; 

(b) processor instruction checks as time permits; (c) input range checks: (d) torque 
motor coil testing to determine if the predescribed amount of current is flowing to 
each coil; (e) actuator loop test for torque motor integrity (as in (d)); (f) range 
checks to identify failed resolvers or actuators; and (g) loop dynamic checks for 
degradation of actuator response. These diagnostic test programs are provided for 
the DEEC controller to identify incipient anomalies before they can seriously affect 
the aircraft mission. 

The selective input-output redundancy allows the system to maintain gas generator 
control with any single input-output failure. The control detects hard and soft 
failures of the dual sensors. Hard failures are declared when a sensor exceeds its 
maximum or minimum expected values. Soft failures are declared when the two signals 
disagree by more than a predetermi ned tolerance; the more conservative (safer) sensor 
value is then used. The pressure sensors (fan inlet static pressure (PS2), burner 
pressure (PB), turbine discharge total pressure (PT6M)) are not redundant, but the 
approximate value of one can be determined from the other two pressures. Failure of 
any nonredundant sensor will result in a loss of augmentation capability. Second 
failures of the dual sensors will result in an automatic transfer to the BUC, as will 
failures in the computer internal checks. 
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DEEC Control System Block Diagram 
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FAULT DETECTION AND ACCOMMODATION LEVELS 


The fault detection and accommodation (FDA) shows that when the DEEC system is 
operating without faults, the level of activity of FDA is normal, as illustrated at 
the top of the figure. The next level occurs when the first system fault is detected 
and. one of two possible fault accommodations can take place. One possibility is to 
accommodate the fault internally in the DEEC controller and the second is to transfer 
to the backup control system (BUC). 

The decision to transfer to BUC is based on one of three possible detected condi- 
tions: (a) the DEEC controller has detected a fault which will not allow the con- 

troller to be in charge of the main core fuel flow or RCVV position; (b) the engine 
protection logic has detected a variable (fan rotor speed (Nl), core rotor speed 
(N2), turbine inlet temperature ( FT IT)) is either over the limit condition or its 
rate is such that the variable will reach an over-limit condition; or (c) a hardware 
independent fan speed (Nl ) circuit built into the DEEC controller detects an over- 
speed condition. 

Other faults at this detection level drop down to the accommodation level (third 
level) where one of four operational conditions is selected, depending upon the fault 
condition. The operational accommodation, which has one-for-one hardware redundant 
fault replacement, yields a normal operating system. If the fault lies within the 
augmentor control of segment 3 or 5 (for example, duct metering valve fault), these 
elements are inhibited and the control system has an operational degradation. If the 
fault is more inclusive in the augmentor control, the engine augmentation function is 
inhibited with further reduction in operational capability. Should the synthesis of 
a control variable be required, then additional operational restriction is imposed, 
because the synthesized variable will be a conservative estimate of the replaced 
control variable. When operating in this level of accommodation (three levels down) 
and a second "like" fault occurs, the DEEC control automatically transfers opera- 
tional control to BUC. The sensor failures which are detected by the DEEC FDA logic 
and the resulting actions are summarized in table 1. 


ill 



DEEC Fault Detection/Accommodation 
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Detection 


Accommodation 


Detection 



Accommodation 
















Action 


Table 1 FDA logic and actions 


Failure checks 


Redundant inputs: 


TT2, Nl, N2, RCVV, 

Out of range 

Use in-range/BUC 

FTIT, WFGG 

Soft in range 

Use safer value 

PLA 

Out of range 
Soft in range 

Use in-range/BUC 
Buc transfer 

Single inputs: 

WFC, SVP 

Out of range 
Open loop 

A/B inhibited 

WFD 

Out of range 
Open loop 

A/B limited to 
segment 2 

PS2, PT6M 

Out of range 
Soft in range 

PS2 = PS2SYN 
A/B inhibited 
AJ trim inhibited 
PB soft fail-bypassed 
PS2 or PT6M, and PB 
fail -BUC 

PB 

Out of range 
Soft in range 

PB = PBSYN 
- A/B inhibited 
No stall detect logic 
PS2 or PT6M fail -BUC 

TPS2, TPT6M , TPB 

Out of range 

Sub good temp sensors 
If all fail , fai 1 
pressure 

Feedback sensors - single: 

CIVV 

Out of range 

CIVV full-cambered 
A/B inhibited 

AJ 

Out of range 

AJ full closed 
A/B inhibited 

Other 

Power (dual) 

Out of range 

BUC transfer 

M.N. 

Out of range 

Mach = 0.15, limit set 

Self test (hardware) 

Loss of interface 

BUC transfer 
(critical loss) 

Self test (software) 

Integrity check 

BUC transfer 
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NONREDUNDANT SENSORS 


The functions of the PS2 sensor involve a full-time and part-time importance 
level as it is used in the fan speed request, nozzle request and trimming, and EPR 
request and feedback logic. A declared hard failure of the parameter causes the DEEC 
to use a synthesized PS2, based on corrected engine speed, engine inlet temperature, 
and burner pressure. Augmentor and nozzle trim functions of the engine are inhibited 
by the DEEC. In addition, the soft failure detection logic for burner pressure is 
bypassed as part of the FDA. 

Burner pressure is classified as a full-time critical parameter since it is used 
in the scheduling of the core fuel flow and in the stall detection logic. It has a 
part-time criticality for the acceleration-deceleration limiting and limiting-engine 
burner pressure during high dynamic pressure (Q) conditions. As with PS2, detected 
sensor failures (hard or soft) cause a synthesized PB value to be substituted. There 
is no stall detection logic and augmentation is inhibited with this failure. 

PT6M is used primarily at the intermediate and augmentor operation of the engine 
as part of the EPR feedback logic, blowout detection, and nozzle trimming functions. 
This parameter is not synthesized; hard failures which are detected result in elimi- 
nation of augmentor operations and nozzle trim functions and the bypassing of the PB 
soft-fail logic. 

DEEC Non-Redundant Sensors 
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Function 


Full time— critical 


Full time— important 


Part time— critical 


PS 2 


PB 


Inlet pressure 


Burner pressure 


• Core fuel flow 
scheduling 

• Stall detection 


Fan speed req. 
Nozzle area req. 


• PB limiting 
(high Q) 


• Accel-decel 
limiting (full env.) 


Part time — important 

(Intermediate & 
augmented power) 


• EPR req. 

• EPR feedback 

• Nozzle trim 


Synthesis 



— L x PB= PS2SYN 
PB 

PS2 


PB 

PS2 


x PS2 = PBSYN 


PT6M 

Turbine discharge 
pressure 


• EPR feedback 

• Blowout detection 

• Nozzle trim 


None 

(Augmentation 

inhibited) 

(AJ trim inhibited) 
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NONREDUNDANT SENSOR LOGIC - PS2, PT6M 


The FDA logic of the nonredundant pressure sensors {PS2 and PT6M) Involve checks 
to be performed on the validity of the temperatures and pressures of the transducers, 
and the substitution of the transducer temperatures in the event of a temperature 
failure. The chart below shows the procedure for PT6M. A range check is made on the 
limits of the transducer pressure and temperature, with the sensor being declared 
failed after a specified number cycles. The detection and accommodation logic of the 
transducer temperatures consists of a substitution of the alternate transducer tem- 
peratures, since all three sensors are located together in the fuel -cooled electronic 
unit. 

A check sum is made of the software locations, prior to this logic, to ensure 
there are no internal computer anomalies. If the three transducer temperatures or 
the check sum have failed, the affected pressure is declared failed and the system 
reverts to the BUC control mode. Following the transducer temperature FDA checks, 
the parameter is converted into engineering units and a range check, similar to the 
transducer temperature range check, is made. This particular logic sequence is util- 
ized for the PS2, PB, and PT6M sensors. The PB sensor has an additional in-range 
logic check which compares the sensor value to the synthesized pressure value. 


Non-Redundant Sensors FDA Logic 

(PT6M) 
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Pressure/temperature 
range check logic 


Transducer temperature 
FDA logic 


PT6M logic 
sequence 


TPT6, PT6M 




1. TPT6 range 
check 

2. Temp (xducer) 
FDA 

3. E.U. convert 

4. PT6M range 
check 

5. PT6M soft 
fail check 

If PT6M = fail, 
AJTRIM inhibit 
A/B inhibit 
PT4 soft fail 
bypassed 








REDUNDANT SENSOR LOGIC - TT2 


The fan inlet total temperature (TT2) parameter is one of the redundant sensor 
inputs used by the DEEC. The FDA logic checks for the redundant sensors are a range 
check for out of range and a check for agreement between sensors. If both sensors 
are in range, the sensors are compared. A disagreement between the signals by more 
than a predescribed tolerance causes the higher, or safer, value to be used. If 
either signal is out of range, the good value is used. With both signals out of 
range, an automatic transfer to the hydromechanical backup control is accomplished. 
Similar logic is used for the other dual sensors. 


DEEC FDA Logic - Redundant Inputs 
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FDA - FLIGHT RESULTS 


Extensive testing has been performed on the fault detection and accommodation 
(FDA) logic operation and ability to transfer to BUC under selected failure condi- 
tions. The closed-loop bench test allowed operation of hydromechanical and elec- 
tronic components to be run while operating the engine computer simulation. This 
allowed testing of the FDA by intentionally introducing faults into the system with- 
out the risk of damaging an engine. Additional testing included sea level and 
altitude tests, and simulation testing of selected failures and resulting accom- 
modation process. 

The DEEC diagnostic words provide information on the health of the DEEC system. 
The words are displayed in the control room on the cathode ray tube (CRT) in a matrix 
format, as shown below. Failures which result in a transfer to the BUC mode are 
annunciated in the darker shade. Indication of other system faults are displayed on 
the light background. During the course of the DEEC flight test program, two faults 
were detected and accommodated. The first was a detected failure of the TT2 sensor 
which resulted in the use of the redundant sensor and no loss in performance. Post- 
flight inspection revealed the failure was due to a contaminated connector. The 
second failure involved the PT6M sensor, causing the nozzle trim feature and aug- 
mentor to be inhibited while DEEC engine control was maintained. The failure of the 
sensor was traced to the contamination of a PROM socket at the vibrating cylinder 
transducer. To date, there have been no false failures detected by the DEEC and no 
required transfers to BUC due to control system anomalies. 

FAULT DETECTION AND ACCOMMODATION o^m-aso 
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PT6M FAILURE DURING IDLE-TO-MAXIMUM TRANSIENT 


The turbine discharge total pressure { PT 6M ) failure occurred during an idle-to- 

maximum transient at Mach 0.8 and 30,000 ft. The PT6M signal initially failed to a 

2 2 
value of 92 Ib/in , less than the upper limit of 110 Ib/in . In response to this, 

the nozzle was driven open by the high PT6M signal in an attempt to accommodate the 

nozzle trim logic to hold EPR. The augmentor static pressure (PAB) trace shows the 

actual pressure change near the turbine discharge during the nozzle transient. When 

2 

the PT6M sensor exceeded the 110 Ib/in maximum limit, the failure was flagged 
and the nozzle was commanded to the basic schedule value. 


PT6M Failure During Idle-Max Transient 

M = 0.8, 30,000 ft 
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TT2 FAILURE 


One of the two fan inlet total temperature (TT2) sensors failed following an 
acceleration to Mach 1.4 and 30,000 ft. The TT2 "A" sensor had been intermittent 
just prior to the data shown below, where it became a hard failure. The TT2 fail 

flag was set when the sensor exceeded the -110° F limit. Since the detected failure 
was one of the redundant sensors, no performance loss was noted during the time the 
sensor had failed. 


TT2 Failure 

M = 1.4, 30,000 ft 
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TT2 fail 
flag 



Time, seconds 
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FDA FLIGHT TEST PROGRAM 


Early in the flight program, one of the ground rules was to abort the mission and 
return to base in the event of a failure. As more confidence was gained in the system 
and there was more interest in evaluating the failures in flight, contingency cards 
were made which contained selected testing to be accomplished in the event of a par- 
ticular failure. The opportunity exists to use these procedures by inducing faults 
into the system and evaluating the outcome. 

One of the objectives of the DEEC FDA flight program will be to evaluate the FDA 
logic for the PS2, PB, CIVV, and FTIT sensors by inducing faults in flight. The man- 
ner in which the faults are induced and the test techniques that will be developed 
will be applicable to other programs. The second objective will be the comparison of 
the flight results with predictions and facility results. Included in the comparison 
will be an evaluation on engine performance using synthesized values of PS2 and PB. 
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FDA TEST SCHEMATIC 


The DEEC engine will be modified to allow switches and valves to be installed on 
the sensor lines. The sensor lines to be modified, and FDA logic which will be eval- 
uated, are PS2, PB, CIVV, and FTIT. Selection of the failure mode to be induced will 
be controlled by switches in the cockpit. No changes will be necessary to the DEEC 
software. The configuration of these switches and valves will be such that the 
normal and fail-safe modes allow normal DEEC operation. 


DEEC FDA Test Schematic 
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PS2 


Cockpit switches 
1-5 


CIVV PB 




FTITA 


FTITB 


1 B 2't 44 




Standard 
DEEC computer 
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FDA FLIGHT TEST MATRIX 


The test matrix shown contains all possible faults that may be induced during the 
flight program. The flight conditions selected represent the engine envelope and are 
based on simulation and facility data that are available for comparison. Steady- 
state tests and engine transients will be performed with the failures being induced 
before and during the maneuvers. Computer simulation will be used to evaluate each 
of these test conditions and induce failures prior to the actual flights to ensure 
there are no predicted adverse effects to the engine. Some of these points combine 
dual failures which may not be accommodated in the FDA logic and could result in an 
undesirable engine operating condition. 

The FTIT failures will evaluate the redundant sensor logic. Sensor failures of 
PS2 and PB, both hard and soft, will exercise the nonredundant logic and pressure 
synthesis accommodation. The CIVV failures will be used to evaluate the open-loop 
actuator logic. 


DEEC FDA Flight Test Matrix 
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Test Conditions 



Failure Modes 

.8M, 30Kft 

,8M, 50Kft 

1.6M, 30Kft 

1 . 6M , 50Kft 

2.0M, 50Kft 

Accel, 30K 
.8-1.6M 

Accel, 50K 
.8-2. OM 


A - Fail 

1-5 



1-5 




FTIT 

B- Fail 


1-5 





6 


Both • Fail 

1-5 

1-5 


1-5 

1-5 

6 



PS2, Soft 

1-5 

1-5 

1-5 


1-5 

6 



PS2, Hard 

1-5 

1-5 

1-5 

1-5 

1-5 

6 



PB, Soft 

1-5 

1-5 

1-4 

1-4 

1-5 


6 

PS2 

PB, Hard 

1-5 

1-4 

1-5 

1-4 

1-4 


6 

& 

PB 

PS2, Soft 
PB, Hard 

1-5 

1-5 

1-4 

1-5 

1-4 




PS2, Hard 
PB, Hard 

1-5 


1-4 

1-5 

1-4 




PS2, Soft 
PB, Soft 

1-5 

1-5 

1-4 

1-5 

1-4 




PS2, Hard 
PB, Soft 

1-5 

1-5 

1-4 

1-5 

1-4 



CIW 


1-4 


1-4 



6 



Legend 1 = Idle, steady-state 4= I/M - 1 snap 
2= Idle - I/M snap 5- 1 -max snap 

3 = I/M, steady-state 6 = Fixed throttle 
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CIYV COMPARISON 


Detection of a failure of the compressor inlet variable vane (CIVY) position 
feedback results in the CIVVs being commanded to the full-cambered position. This 
position, while it is a fail-safe mode, produces a significantly lower stall margin 
than the nominal schedule. The figure below illustrates the predicted amount of 
reduced stall margin at 30,000 ft with the CIVV failed to the full camber position. 
Because of the reduced fan stall margin, augmentor operation could result in stalls. 
Therefore, a CIVV failure inhibits augmentation. The flight test results with this 
failure will include nonaugmented transients and airplane maneuvers. 


Effects of Failed CIVV on Fan Stall Margin 

Results from DEEC Simulation 
30,000 ft 
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30 
25 
20 

Fan stall 
margin, 15 
percent 

10 
5 

0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6 

Mach number 
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PB COMPARISON 


The figure below shows altitude facility data on the effect of a failed burner 
pressure (PB) sensor on the engine thrust during an idle-to-maximum snap at Mach 0.8 
and 30,000 ft. The facility data shows the accommodation of the failure by inhib- 
iting augmentation and scheduling the engine, using a synthesized burner pressure 
input. The flight results will be compared to facility data such as these, and 
include an evaluation of engine performance using a synthesized PB. The knowledge 
gained from the flight-program will be used to expand the existing data base of FDA 
information and include test techniques and validation processes of simulation and 
facility information. 


Effect of Failed PB Sensor on Thrust 

M = 0.8, 30,000 ft 
Idle-to-Max Snap 
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CONCLUDING REMARKS 


The FDA methodology used in the DEEC is a fairly simplified parametric comparison 
process, but represents about 40 percent of the DEEC control program. The extensive 
testing and development of the FDA have included closed-loop bench tests, sea level 
and altitude engine tests, and computer simulation. This has resulted in a high 
level of confidence in the DEEC FDA logic. Successful fault detection and accom- 
modation have been demonstrated with the flight failures of the PT6M and TT2 sensors. 
To date, there have been no false failures or required transfers to the backup 
control because of control system anomalies. The high degree of confidence in the 
DEEC system and the opportunity to expand the FDA data base to include additional 
flight data has made future flight evaluation of the DEEC FDA a highly desirable and 
realistic goal. 


Summary 
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• DEEC FDA is a fairly simplified methodology, but 
represents a significant portion of the control program 

• Testing of FDA included closed loop bench tests, 
sea-level and altitude engine tests, and 
computer simulation 

• Flight failures of PT6 and TT2 demonstrated successful 
fault detection and accommodation 

• There were no false failures or required transfers 
to BUC due to control system anomolies 

• Further flight evaluation of the DEEC FDA is a 
highly desirable and realistic goal 


126 



